RAQS
Apr 16, 2020
Solved

What happens when we enable HTTP/2 on an existing VIP?

Hi All,

Hope you all are doing good!

I have the BIG-IP LTM module running on version 13.1.1.4 (and it's in HA), which as per me means that the version is 13.1.1 and the build is 4; please correct me if I am wrong.

I have a requirement where I need to enable HTTP/2 for an existing VIP. I was googling and got to know that if we enable HTTP/2, then the Traffic Management Microkernel (TMM) may restart when a virtual server has an HTTP/2 profile with Application Layer Protocol Negotiation (ALPN) enabled and it processes traffic where the ALPN extension size is zero.

Refer: https://support.f5.com/csp/article/K94563344

As I cannot upgrade right away, can you please help me with a mitigation or workaround to avoid this bug?

For example, can I disable ALPN in any way when I enable HTTP/2, or are there any other steps to mitigate this?

Or can we directly enable HTTP/2, and it will not have an impact?

Regards,

Shekhars

4 Replies

  • You don't have too many choices:

    1) Disable ALPN and rely on NPN, which is deprecated and has limited browser support

    2) Enable HTTP/2 with ALPN, and hope that you don't get connections that cause tmm to restart

    3) Push for an upgrade to 13.1.3.3 before enabling HTTP/2

    • RAQS

      Hi Blakely,

      Thanks for your prompt response.

      So, coming to option 1, how will we achieve that in version 13.1.1.4? What are the steps to do that?

      Option 2 is like leaving things to fate and waiting and watching.

      Option 3 we will do, but that will take time.

      So, can you please help with Option 1 and how I would perform the steps via the GUI or CLI?

      Regards,

      Shekhars

      • Actually, you can't on 13.1.1.4, as NPN is no longer supported.

        K04412053: Overview of the BIG-IP HTTP/2 profile

        Activation Modes

        ALPN

        Specifies how the BIG-IP system negotiates HTTP/2 protocol. By default, the BIG-IP system accepts Application Layer Protocol Negotiation (ALPN).

        Beginning in version 13.1.0, the BIG-IP system no longer supports Next Protocol Negotiation (NPN), which is now deprecated and replaced by the industry standard ALPN published as RFC 7301. Prior to BIG-IP 13.1.0, the NPN is accepted by the BIG-IP system.

        Sorry - you don't really have any options to safely implement HTTP/2.